SupportKB
Problem Description:
When starting Ranger admin, it fails to start up with the following error:
- [I] Java patch PatchPasswordEncryption_J10001 is being applied by some other process
The Ranger Admin service fails to start even after completely removing the Ranger service, dropping the Ranger database and reinstalling Ranger:
- 2017-10-20 13:29:32,536 [JISQL] /usr/java/default/bin/java -cp /usr/hdp/current/ranger-admin/ews/lib/mysql-connector-java.jar:/usr/hdp/current/ranger-admin/jisql/lib/* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://ost-cdc-asi-nam-c04-data.linux.abc.corp.abc.com/ranger_hdp -u 'ranger-hdp' -p '********' -noheader -trim -c \; -query "delete from x_db_version_h where version='J10001' and active='N' and updated_by='test.support.com';"
- SQLException : SQL state: HY000 java.sql.SQLException: null, message from server: "Host '10.0.0.1' is blocked because of many connection errors; unblock with 'mysqladmin flush-hosts'" ErrorCode: 1129
- 2017-10-20 13:29:32,838 [E] applying java patch PatchPasswordEncryption_J10001 failed
Cause:
This issue occurs on recent CentOS/RHEL releases (for example CentOS/RHEL 6.7 or later, and CentOS/RHEL 7), where the "Encrypted Connections" (SSL) feature is enabled by default in MySQL. If the database client (Ranger in this case) is not configured to use SSL, the connection fails and the following is also displayed in the log:
- WARN: Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by default if explicit option isn't set. For compliance with existing applications not using SSL the verifyServerCertificate property is set to 'false'. You need either to explicitly disable SSL by setting useSSL=false, or set useSSL=true and provide truststore for server certificate verification.
The database client keeps retrying the connection until it reaches the limit of MySQL's crude protection against malicious clients. If that protection is active, once a database client has tried and failed to connect to MySQL many times (by default, 100), MySQL concludes that the machine is compromised and refuses to accept any more connections from it. That is when Ranger admin fails with the "blocked because of many connection errors" message.
Solution:
To resolve this issue, disable the Encrypted Connections (SSL) feature in MySQL by adding skip_ssl to my.cnf and restarting the mysqld service:
- Log in to MySQL and query:
- mysql> SHOW VARIABLES LIKE '%ssl%';
- The output should look like the following, which indicates that SSL is enabled in MySQL:
- +---------------+-----------------+
- | Variable_name | Value |
- +---------------+-----------------+
- | have_openssl | YES |
- | have_ssl | YES |
- | ssl_ca | ca.pem |
- | ssl_capath | |
- | ssl_cert | server-cert.pem |
- | ssl_cipher | |
- | ssl_crl | |
- | ssl_crlpath | |
- | ssl_key | server-key.pem |
- +---------------+-----------------+
- 9 rows in set (0.00 sec)
- Edit my.cnf file to add skip_ssl:
- [mysqld]
- ...
- skip_ssl
- # disable_ssl
- ...
- Restart MySQL service:
- service mysql restart
- Log in to MySQL again and run the same query. Ensure that SSL is disabled:
- +---------------+----------+
- | Variable_name | Value |
- +---------------+----------+
- | have_openssl | DISABLED |
- | have_ssl | DISABLED |
- | ssl_ca | |
- | ssl_capath | |
- | ssl_cert | |
- | ssl_cipher | |
- | ssl_crl | |
- | ssl_crlpath | |
- | ssl_key | |
- +---------------+----------+
- 9 rows in set (0.00 sec)
- Restart Ranger admin service.
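To confirm from the Ranger setup log that a failure matches the chain described above, and to read the have_ssl value back after the change, the following script can be used. It is an added example, not part of the original article; the function names, the output labels and the sample log lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not part of the original article. Function names, output
# labels and the sample log below are constructed for illustration.

# Classify a Ranger Admin setup log ($1) against the failure chain above.
triage_ranger_log() {
    log="$1"
    if grep -q 'ErrorCode: 1129' "$log"; then
        # MySQL names the blocked client host in the 1129 message.
        host=$(sed -n "s/.*Host '\([^']*\)' is blocked.*/\1/p" "$log" | head -n 1)
        # The Connector/J warning shows the failures came from the SSL mismatch.
        if grep -q 'Establishing SSL connection without server' "$log"; then
            echo "host-blocked:${host}:ssl-mismatch"
        else
            echo "host-blocked:${host}:cause-unknown"
        fi
    elif grep -q 'is being applied by some other process' "$log"; then
        echo "patch-pending"
    else
        echo "no-match"
    fi
    return 0
}

# Read SHOW VARIABLES LIKE '%ssl%' table text on stdin; print the have_ssl value.
have_ssl_value() {
    awk -F'|' '$2 ~ /^ *have_ssl *$/ { gsub(/ /, "", $3); print $3 }'
}

# Constructed sample log, modelled on the messages quoted in this article.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
[I] Java patch PatchPasswordEncryption_J10001 is being applied by some other process
WARN: Establishing SSL connection without server's identity verification is not recommended.
SQLException : SQL state: HY000 java.sql.SQLException: null, message from server: "Host '10.0.0.1' is blocked because of many connection errors; unblock with 'mysqladmin flush-hosts'" ErrorCode: 1129
2017-10-20 13:29:32,838 [E] applying java patch PatchPasswordEncryption_J10001 failed
EOF

triage_ranger_log "$sample_log"
printf '| have_openssl | DISABLED |\n| have_ssl | DISABLED |\n' | have_ssl_value
rm -f "$sample_log"
```

A "cause-unknown" result means the host is blocked but the SSL warning is absent from the log, so the failed connections have a different origin than the one this article covers.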
About:
This article was created by Hortonworks Support (Article: 000006653) on 2017-11-03 14:00
OS: n/a
Type: n/a
Version: n/a